6525 matches found

vulnersOsv
added 2025/06/16 3:32 p.m., 6 views

ColumnPack:ColumnPack-plugin (=1.0.3), CustomHistory:CustomHistory (>=1.1 <=1.3) +15648 more potentially affected by CVE-2025-48976 via commons-fileupload:commons-fileupload (>=1.0 <=1.5)

commons-fileupload:commons-fileupload MAVEN version =1.0, =1.1, =0.0.1, =0.5.0, =0.6.0, =0.5.0, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.4, =0.8.7 and more Source cves: CVE-2025-48976 Source advisory: SNYK:JAVA-COMMONSFILEUPLOAD-10363252...

CVSS 7.5, AI score 7, EPSS 0.01278
Exploits: 1
NVD
added 2025/06/16 6:15 a.m., 9 views

CVE-2025-6108

A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file...

CVSS 6.5, EPSS 0.00232
Exploits: 0, References: 4
Veracode
added 2025/06/16 5:32 a.m., 2 views

Mass Assignment Attack

org.springframework, spring-context is vulnerable to Mass Assignment Attack. The vulnerability is due to incomplete enforcement of the disallowedFields mechanism, which allows certain request parameters to bypass intended binding restrictions even after applying locale-independent lowercase...

CVSS 3.1, AI score 3.9, EPSS 0.00083
Exploits: 0, References: 6, Affected Software: 1
CVE
added 2025/06/16 5:31 a.m., 24 views

CVE-2025-6108

Vulnerability CVE-2025-6108 affects hansonwang99 Spring-Boot-In-Action up to a specific commit. The path-traversal flaw is in the watermarkTest function of ImageUploadService.java under the File Upload component, allowing remote exploitation. Multiple sources confirm the issue and public disclosu...

CVSS 6.5, AI score 7, EPSS 0.00232
Exploits: 0, References: 4
Vulnrichment
added 2025/06/16 5:31 a.m., 4 views

CVE-2025-6108 hansonwang99 Spring-Boot-In-Action File Upload ImageUploadService.java watermarkTest path traversal

A vulnerability was found in hansonwang99 Spring-Boot-In-Action up to 807fd37643aa774b94fd004cc3adbd29ca17e9aa. It has been declared as critical. Affected by this vulnerability is the function watermarkTest of the file...

CVSS 6.5, AI score 7, EPSS 0.00232
Exploits: 0, References: 4
OSSF Malicious Packages
added 2025/06/16 4:30 a.m., 3 views

Malicious code in vscode-spring-initializr (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eade5f13d9d6cf7678dfdf2bac67cfc29db071d6d1682cc6b3aadeac7561e30f Any computer that has this package installed or running should be considered...

AI score 7
Exploits: 0, References: 1
OSV
added 2025/06/16 4:30 a.m., 2 views

MAL-2025-4981 Malicious code in vscode-spring-initializr (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware eade5f13d9d6cf7678dfdf2bac67cfc29db071d6d1682cc6b3aadeac7561e30f Any computer that has this package installed or running should be considered...

AI score 7.2
Exploits: 0, References: 1
CNNVD
added 2025/06/16 12:00 a.m., 2 views

hansonwang99 Spring-Boot-In-Action path traversal vulnerability

hansonwang99 Spring-Boot-In-Action is a collection of practical Spring Boot examples by the individual developer hansonwang99. hansonwang99 Spring-Boot-In-Action has a path traversal vulnerability that could lead to file manipulation...

CVSS 6.5, AI score 6.5, EPSS 0.00232
Exploits: 0, References: 5
IBM Security Bulletins
added 2025/06/13 10:20 a.m., 13 views

Security Bulletin: Vulnerabilities in old Spring Framework versions affect watsonx.data

Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...

CVSS 7.4, AI score 7.4, EPSS 0.00065
Exploits: 0, Affected Software: 1
IBM Security Bulletins
added 2025/06/13 10:18 a.m., 17 views

Security Bulletin: Vulnerabilities in old Spring Framework versions, made disallowedFields patterns in DataBinder case insensitive, affect watsonx.data

Summary In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of...

CVSS 5.3, AI score 5, EPSS 0.2051
Exploits: 2, Affected Software: 1
Github Security Blog
added 2025/06/13 12:33 a.m., 10 views

Spring Framework vulnerable to a reflected file download (RFD)

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5, AI score 7.3, EPSS 0.00294
Exploits: 0, References: 5, Affected Software: 1
OSV
added 2025/06/13 12:33 a.m., 0 views

GHSA-6R3C-XF4W-JXJM Spring Framework vulnerable to a reflected file download (RFD)

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5, AI score 5.9, EPSS 0.00294
Exploits: 0, References: 5
vulnersOsv
added 2025/06/13 12:33 a.m., 4 views

ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (=0.28.0), ai.ancf.lmos:arc-graphql-spring-boot-starter (>=0.1.1 <=0.112.0) +7022 more potentially affected by CVE-2025-41234 via org.springframework:spring-web (>=6.1.0 <=6.1.20)

org.springframework:spring-web MAVEN version =6.1.0, =0.1.1, =0.1.1, =0.0.4, =0.1.0, =0.1.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.6.0, =0.6.0, =0.5.0, =0.7.0, =0.7.0, =0.8.7 and more Source cves: CVE-2025-41234 Source advisory: OSV:GHSA-6R3C-XF4W-JXJM...

CVSS 6.5, AI score 7, EPSS 0.00294
Exploits: 0
vulnersOsv
added 2025/06/13 12:33 a.m., 4 views

ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess (>=0.1.0 <=0.2.0), ai.aletyx.kogito:aletyx-kogito-ai-addons-springboot-adhoc-subprocess-storage-jpa (>=0.1.0 <=0.2.0) +9434 more potentially affected by CVE-2025-41234 via org.springframework:spring-web (>=6.2.0 <=6.2.7)

org.springframework:spring-web MAVEN version =6.2.0, =0.1.0, =0.1.0, =0.114.0, =0.114.0, =0.5.0, =0.8.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.23 and more Source cves: CVE-2025-41234 Source advisory: OSV:GHSA-6R3C-XF4W-JXJM...

CVSS 6.5, AI score 7, EPSS 0.00294
Exploits: 0
OpenVAS
added 2025/06/13 12:00 a.m., 6 views

VMware Spring Framework 6.0.5 - 6.0.28, 6.1.0 - 6.1.20, 6.2.0 - 6.2.7 RFD Vulnerability - Linux

The VMware Spring Framework is prone to a reflected file download (RFD) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 6.5, AI score 8, EPSS 0.00294
Exploits: 0, References: 2
OpenVAS
added 2025/06/13 12:00 a.m., 6 views

VMware Spring Framework 6.0.5 - 6.0.28, 6.1.0 - 6.1.20, 6.2.0 - 6.2.7 RFD Vulnerability - Windows

The VMware Spring Framework is prone to a reflected file download (RFD) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 6.5, AI score 8, EPSS 0.00294
Exploits: 0, References: 2
RedhatCVE
added 2025/06/12 10:43 p.m., 5 views

CVE-2025-41234

A mishandling of non-ASCII characters in headers flaw was found in the Spring framework. This flaw allows an attacker to tamper with a file download under specific conditions when content names are user-supplied, and the victim then downloads unintended content. Mitigation Mitigation for this iss...

CVSS 6.5, AI score 6, EPSS 0.00294
Exploits: 0, References: 7
NVD
added 2025/06/12 10:15 p.m., 7 views

CVE-2025-41234

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5, EPSS 0.00294
Exploits: 0, References: 3
OSV
added 2025/06/12 10:15 p.m., 0 views

UBUNTU-CVE-2025-41234

Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download RFD attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input...

CVSS 6.5, AI score 6.8, EPSS 0.00294
Exploits: 0, References: 3
Snyk
added 2025/06/12 9:50 p.m., 2 views

HTTP Response Splitting

Overview org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to HTTP Response Splitting via the...

CVSS 6.5, AI score 7.1, EPSS 0.00294
Exploits: 0, References: 2